CVE-2023-2257

Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub Business space without being prompted to enter the password via an unimplemented "Force Login" security feature. This vulnerability occurs only if "Force Login" feature is enabled on the Hub Business instance and that an attacker has access to a locked Workspace desktop application configured with a Hub Business space.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://devolutions.net/security/advisories/DEVO-2023-0011	Vendor Advisory
https://devolutions.net/security/advisories/DEVO-2023-0011	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:devolutions:workspace:*:*:*:*:desktop:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

21 Nov 2024, 07:58

Type	Values Removed	Values Added
References	~~() https://devolutions.net/security/advisories/DEVO-2023-0011 - Vendor Advisory~~	() https://devolutions.net/security/advisories/DEVO-2023-0011 - Vendor Advisory

04 May 2023, 15:55

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:devolutions:workspace:::::desktop:::* cpe:2.3:o:apple:macos:-:::::::*
References	~~(MISC) https://devolutions.net/security/advisories/DEVO-2023-0011 -~~	(MISC) https://devolutions.net/security/advisories/DEVO-2023-0011 - Vendor Advisory
CWE		CWE-863

24 Apr 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-04-24 19:15

Updated : 2025-02-04 16:15

NVD link : CVE-2023-2257

Mitre link : CVE-2023-2257

CVE.ORG link : CVE-2023-2257

JSON object : View

Products Affected

microsoft

windows

apple

macos

devolutions

workspace

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2023-2257", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 1.8}]}, "published": "2023-04-24T19:15:09.820", "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2023-0011", "tags": ["Vendor Advisory"], "source": "security@devolutions.net"}, {"url": "https://devolutions.net/security/advisories/DEVO-2023-0011", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub \nBusiness space without being prompted to enter the password via an \nunimplemented \"Force Login\" security feature.\n\nThis vulnerability occurs only if \"Force Login\" feature is enabled on the Hub Business instance and that an attacker has access to a locked Workspace desktop application configured with a Hub Business space.\n"}], "lastModified": "2025-02-04T16:15:36.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:workspace:*:*:*:*:desktop:*:*:*", "vulnerable": true, "matchCriteriaId": "4C4BA203-752A-421F-9A01-4127E6E3DDE7", "versionEndExcluding": "2023.1.1.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@devolutions.net"}